Guidelines and Limitations for Interfaces

VLAN Subinterfaces

This document discusses FXOS VLAN subinterfaces only. You can separately create subinterfaces within the threat defense application. See FXOS Interfaces vs. Application Interfaces for more information.

Subinterfaces (and the parent interfaces) can only be assigned to container instances.

Note	If you assign a parent interface to a container instance, it only passes untagged (non-VLAN) traffic. Do not assign the parent interface unless you intend to pass untagged traffic. For Cluster type interfaces, the parent interface cannot be used.

Subinterfaces are supported on Data or Data-sharing type interfaces, as well as Cluster type interfaces. If you add subinterfaces to a Cluster interface, you cannot use that interface for a native cluster.
For multi-instance clustering, FXOS subinterfaces are not supported on Data interfaces. However, subinterfaces are supported for the cluster control link, so you can use either a dedicated EtherChannel or a subinterface of an EtherChannel for the cluster control link. Note that application-defined subinterfaces are supported for Data interfaces.
You can create up to 500 VLAN IDs.
See the following limitations within the logical device application; keep these limitations in mind when planning your interface allocation.
- You cannot use subinterfaces for an threat defense inline set or as a passive interface.
- If you use a subinterface for the failover link, then all subinterfaces on that parent, and the parent itself, are restricted for use as failover links. You cannot use some subinterfaces as failover links, and some as regular data interfaces.

Supported for physical interfaces (both regular and breakout ports) and EtherChannels. Subinterfaces are not supported.
Link state propagation is supported.
Do not enable Hardware Bypass and link state propagation for the same inline set.

Supported for the threat defense; you can use them as regular interfaces for the ASA.
The threat defense only supports Hardware Bypass with inline sets.
Hardware Bypass-capable interfaces cannot be configured for breakout ports.
You cannot include Hardware Bypass interfaces in an EtherChannel and use them for Hardware Bypass; you can use them as regular interfaces in an EtherChannel.
Hardware Bypass is not supported with High Availability.
Do not enable Hardware Bypass and link state propagation for the same inline set.

For native instances:

Default MAC address assignments depend on the type of interface.

Physical interfaces—The physical interface uses the burned-in MAC address.
EtherChannels—For an EtherChannel, all interfaces that are part of the channel group share the same MAC address. This feature makes the EtherChannel transparent to network applications and users, because they only see the one logical connection; they have no knowledge of the individual links. The port-channel interface uses a unique MAC address from a pool; interface membership does not affect the MAC address.

For container instances:

MAC addresses for all interfaces are taken from a MAC address pool. For subinterfaces, if you decide to manually configure MAC addresses, make sure you use unique MAC addresses for all subinterfaces on the same parent interface to ensure proper classification. See Automatic MAC Addresses for Container Instance Interfaces.